whoop-ai-mcp

An MCP (Model Context Protocol) server that connects AI assistants like Claude to your WHOOP health and fitness data. Ask questions about your recovery, sleep, workouts, and more — all through natural conversation.

📦 Published on the MCP Registry as io.github.shashankswe2020-ux/whoop — discoverable by any MCP-compatible client.

Features

• 🏋️ 14 health data tools — recovery, sleep, workouts, cycles, body measurements, profile, weekly summaries, trend analysis, period comparisons, individual record lookups, today's snapshot, and calendar grid
• 📊 4 MCP Resources — ambient health context (latest recovery, sleep, cycle, profile) available without explicit tool calls
• 💬 5 MCP Prompts — guided conversation starters for common health queries
• 📅 Rich natural date expressions — use "last 7 days", "this week", "last 2 weeks", "last 3 months", "this quarter", "last year", "2026-05", and more
• 📈 Built-in analytics — weekly summaries, trend detection (linear regression), and period comparisons computed server-side
• 🔐 Secure OAuth2 — browser-based authentication with automatic token refresh
• 🔄 Resilient — automatic retry on rate limits, token refresh on expiry, auto-pagination, clear error messages
• 💾 Secure token storage — tokens stored at ~/.whoop-mcp/tokens.json with 0600 permissions
• ⚡ Zero config — just add your WHOOP app credentials and go
• 📦 Lightweight — only two runtime dependencies (@modelcontextprotocol/sdk + zod)

Quick Comparison (WHOOP MCP packages on npm)

Based on npm search results for whoop mcp on 2026-05-30.

Why this package stands out

• Published to npm and the official MCP Registry (via mcpName metadata)
• Most feature-rich standalone server: 14 tools + 4 resources + 5 prompts + analytics + auto-pagination
• Only 2 runtime dependencies (lightest footprint among full-featured options)
• No external infrastructure required (no SQLite, no Express, no relay servers)

Deep comparison ratings (WHOOP MCP packages on npm)

Evidence basis: npm registry metadata + npm-hosted README signals + package manifest fields (dependencies, repository, mcpName) collected on 2026-05-30.

Scoring dimensions (0–5):

• Security & resilience (35%): documented OAuth, token refresh, retry/backoff, secure token file permissions (0600), no shared relay
• Freshness (25%): recency of latest npm publish
• Docs & verification signals (25%): README coverage for OAuth, testing, changelog/release notes, and MCP Inspector usage
• Discoverability & portability (15%): MCP Registry metadata (mcpName), repository metadata present, lean runtime dependency count, no external infra required

Ratings are documentation/metadata-driven and are not a source-code security audit.

🎥 Video Walkthrough

Watch a detailed walkthrough of setting up and using whoop-ai-mcp with Claude Desktop:

Covers: creating a WHOOP Developer App, configuring Claude Desktop, OAuth authentication, and querying your health data through natural conversation.

Prerequisites

1. A WHOOP account with an active membership
2. A WHOOP Developer App — create one at developer.whoop.com
   • Set the redirect URI to http://localhost:3000/callback
3. Node.js >= 20

Get a WHOOP

Don't have a WHOOP yet? Here's how to get started:

• 🛒 Buy a WHOOP on Amazon — WHOOP peak on Amazon
• 🔗 Join WHOOP directly — whoop.com/membership

Quickstart (MCP Registry)

This server is published on the official MCP Registry. MCP clients that support the registry can discover and install it automatically:

Server name: io.github.shashankswe2020-ux/whoop

You can also browse it via the registry API:

curl "https://registry.modelcontextprotocol.io/v0.1/servers?search=io.github.shashankswe2020-ux/whoop"

Quickstart (Claude Desktop)

Add this to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "whoop": {
      "command": "npx",
      "args": ["whoop-ai-mcp"],
      "env": {
        "WHOOP_CLIENT_ID": "your_client_id",
        "WHOOP_CLIENT_SECRET": "your_client_secret"
      }
    }
  }
}

Replace your_client_id and your_client_secret with the credentials from your WHOOP Developer App.

On first launch, a browser window will open for you to authorize access to your WHOOP data. After authorizing, tokens are cached locally and refresh automatically.

Then ask Claude something like:

"How am I doing today?"

"Show me my sleep data from the last 3 days"

"What workouts did I do this month?"

"Is my HRV trending up or down?"

"Give me a weekly health summary"

"Show me my recovery calendar for last 2 weeks"

whoop-mcp connected in Claude Desktop:

Chatting with WHOOP data through Claude:

Weekly Health Report demo (Claude Desktop):

Installation

Via npx (recommended)

No installation needed — Claude Desktop runs it automatically with the config above.

Global install

npm install -g whoop-ai-mcp

From source

git clone https://github.com/shashankswe2020-ux/whoop-mcp.git
cd whoop-mcp
npm install
npm run build

Setup wizard (whoop-ai-mcp setup)

For a guided installation that writes the Claude Desktop config (or prints the registration command for Claude Code, Codex, or GitHub Copilot) and verifies your WHOOP credentials in one go:

npx whoop-ai-mcp setup

Flags:

• --client=claude-desktop (default) writes/merges claude_desktop_config.json with an automatic .bak backup.
• --client=claude-code prints the equivalent claude mcp add command.
• --client=codex prints the equivalent codex mcp add command (registers the server in ~/.codex/config.toml).
• --client=copilot prints the equivalent code --add-mcp command for GitHub Copilot in VS Code.
• --verify runs the OAuth flow end-to-end and fetches your profile to confirm everything is wired correctly before exiting.
• --client-id / --client-secret skip the interactive prompts (useful for scripts; secrets entered interactively are masked).

If WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET are already exported in your shell, the wizard uses them automatically — no prompts. Combine with --verify to do a one-shot config-correctness check:

WHOOP_CLIENT_ID=... WHOOP_CLIENT_SECRET=... npx whoop-ai-mcp setup --verify

If the Claude Desktop config file already contains a whoop MCP entry from a previous setup, the wizard short-circuits — it reads the existing credentials, prints Existing whoop entry found in <path>, and either verifies them (with --verify) or exits without rewriting the file. To overwrite an existing entry, pass explicit --client-id / --client-secret flags.

Precedence: --client-id / --client-secret flags > existing claude-desktop config > WHOOP_CLIENT_ID / WHOOP_CLIENT_SECRET env vars > interactive prompts.

Example session:

shashankmishra@Shashanks-MacBook-Pro ~ % npx whoop-ai-mcp setup --client=claude-desktop
WHOOP MCP — Setup Wizard
------------------------

WHOOP Client ID (from https://developer.whoop.com): xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
WHOOP Client Secret (input hidden): ****************************************************************

Claude Desktop config written: /Users/shashankmishra/Library/Application Support/Claude/claude_desktop_config.json
Previous config backed up to: /Users/shashankmishra/Library/Application Support/Claude/claude_desktop_config.json.bak
Restart Claude Desktop to load the new server.

Re-running against an already-configured Claude Desktop install (existing whoop entry in claude_desktop_config.json) short-circuits to a verification-only flow — no prompts, no rewrite:

shashankmishra@Shashanks-MacBook-Pro ~ % whoop-ai-mcp setup --verify
WHOOP MCP — Setup Wizard
------------------------

Target client (claude-desktop / claude-code) [claude-desktop]:
Existing whoop entry found in /Users/shashankmishra/Library/Application Support/Claude/claude_desktop_config.json.

Verifying credentials with WHOOP...
Cached tokens expired, attempting refresh...
Token refresh successful.
OAuth flow complete. Fetching profile...
Profile OK: {"user_id":35253045,"email":"[email protected]","first_name":"Shashank","last_name":"Mishra"}

Existing config verified — no changes made.

Configuration

Environment Variables

Set these in your Claude Desktop config (see Quickstart) or as shell environment variables:

export WHOOP_CLIENT_ID=your_client_id
export WHOOP_CLIENT_SECRET=your_client_secret

Creating a WHOOP Developer App

1. Go to developer.whoop.com
2. Create a new application
3. Set the Redirect URI to http://localhost:3000/callback
4. Set the Privacy Policy URL (required by WHOOP) — you can use https://github.com/shashankswe2020-ux/whoop-mcp or your own URL
5. Enable the following scopes:
   • read:profile
   • read:recovery
   • read:sleep
   • read:workout
   • read:cycles
   • read:body_measurement
6. Copy the Client ID and Client Secret

Tools

get_profile

Get the authenticated user's basic profile — name and email.

Parameters: None

get_body_measurement

Get the user's body measurements — height, weight, and max heart rate.

Parameters: None

get_recovery_collection

Get recovery scores for a date range. Returns HRV, resting heart rate, SpO2, and skin temp for each day.

Parameters:

get_sleep_collection

Get sleep records for a date range. Returns sleep stages, duration, respiratory rate, and performance scores.

Parameters:

get_workout_collection

Get workout records for a date range. Returns strain, heart rate zones, calories, and sport type.

Parameters:

get_cycle_collection

Get physiological cycles for a date range. Returns strain, calories, and heart rate data per cycle.

Parameters:

get_sleep_by_id

Get a single sleep record by ID. Returns sleep stages, duration, respiratory rate, and performance scores.

Parameters:

get_workout_by_id

Get a single workout record by ID. Returns strain, heart rate zones, calories, and sport type.

Parameters:

get_cycle_by_id

Get a single physiological cycle by ID. Returns strain, calories, and heart rate data.

Parameters:

get_weekly_summary

Get a summarized health report for a given week — average recovery, HRV, RHR, sleep duration and quality, workout count and strain, plus recovery trend direction.

Parameters:

compare_periods

Compare health metrics between two time periods — shows improvement or regression in recovery, sleep, and strain.

Parameters:

get_trend

Analyze a health metric trend over time — detects direction (improving/declining/stable), variability, and anomalies using linear regression.

Parameters:

get_today

Get today's complete health snapshot — recovery score, last night's sleep, current strain, and last workout in one call. Perfect for "how am I doing today?" questions.

Parameters: None

Returns: Recovery score with zone, sleep breakdown (hours, stages, performance), current strain, last workout (sport + strain), and a human-readable summary.

get_calendar

Get a day-by-day grid of recovery, sleep, and strain for a date range. Perfect for weekly/monthly overviews.

Parameters:

Returns: Per-day grid with recovery score + zone (green/yellow/red), sleep hours, sleep performance, and strain. Includes period averages.

Supported Date Expressions

All collection tools and get_calendar accept natural language date expressions (case-insensitive):

Resources

MCP Resources provide ambient health context — AI assistants can read your current health state without explicit tool calls.

Privacy: Resources expose the same data available through tools — they simply make it accessible as ambient context. No additional WHOOP scopes are required. Data is cached in-memory with short TTLs and invalidated on token refresh.

To disable resources: set WHOOP_MCP_DISABLE_RESOURCES=1.

Caching

Read requests can be served from a shared in-memory cache (LRU + TTL) to cut redundant WHOOP API calls and improve latency. The same cache backs both MCP resources and tools such as get_today, so a warm cache answers repeat queries without hitting the API.

• Cache keys are normalized by request path with sorted query params; no tokens are ever part of a cache key.
• Concurrent identical requests are de-duplicated (single in-flight fetch — stampede prevention).
• The entire cache is cleared on token refresh.

Write Operations

The server is read-only today — WHOOP does not currently expose public write endpoints, so no write tools are registered. The codebase ships a future-ready write-safety pattern (withPreview()) so that mutations, if WHOOP adds them, follow a safe two-phase flow:

1. Preview (confirm: false) — returns a WritePreview describing exactly what would change, plus a generated idempotency_key. Nothing is written.
2. Confirm (confirm: true) — executes the write and returns a WriteReceipt carrying the same idempotency_key, so retried confirms never create duplicate records.

This gives an AI assistant a built-in "show me before you do it" checkpoint and makes retries safe by construction. See src/tools/write-safety.ts.

Prompts

Pre-built conversation starters that guide you into useful health queries:

Authentication

whoop-ai-mcp uses OAuth2 Authorization Code flow with PKCE:

1. First run: A browser window opens for you to authorize with WHOOP
2. Token caching: Access and refresh tokens are saved to ~/.whoop-mcp/tokens.json
3. Auto-refresh: When the access token expires, it's automatically refreshed using the stored refresh token
4. Re-authentication: If the refresh token expires, you'll be prompted to authorize again

Token files are stored with 0600 permissions (user-only read/write).

Troubleshooting

"Missing required environment variable: WHOOP_CLIENT_ID"

Your WHOOP credentials aren't set. Add them to your Claude Desktop config or set them as environment variables. See Configuration.

"Network error: Unable to reach the WHOOP API"

Check your internet connection. The WHOOP API must be reachable at https://api.prod.whoop.com.

"WHOOP API returned 429"

You've hit the rate limit. The server retries automatically with exponential backoff (up to 3 attempts). If this persists, reduce the frequency of your requests.

"WHOOP API returned 401"

Your access token has expired. The server attempts an automatic refresh. If that fails, delete ~/.whoop-mcp/tokens.json and restart to re-authenticate:

rm ~/.whoop-mcp/tokens.json

Browser doesn't open during authentication

If the browser doesn't open automatically, check the terminal output for the authorization URL and open it manually.

Testing with MCP Inspector

You can interactively test the server using the MCP Inspector — a browser-based tool for exploring and invoking MCP tools.

WHOOP_CLIENT_ID=your_client_id \
WHOOP_CLIENT_SECRET=your_client_secret \
WHOOP_REDIRECT_URI=http://localhost:3000/callback \
npx @modelcontextprotocol/inspector node dist/index.js

Then open http://localhost:6274 in your browser. The Inspector connects to the server, lists all available tools, and lets you invoke them with custom parameters.

OAuth grant access screen (first-run authorization):

Testing get_profile tool in MCP Inspector:

Deployment (Docker + Cloud Hosting)

The HTTP transport (MCP_TRANSPORT=http) makes this server suitable for remote hosting so that web/mobile MCP clients (e.g. claude.ai connectors) can connect to your personal WHOOP data over the network. A production-ready Dockerfile is included.

Security warning. When running over HTTP you are exposing your WHOOP data behind a single bearer token. Use a strong random MCP_AUTH_TOKEN (openssl rand -hex 32), only deploy behind TLS, restrict MCP_ALLOWED_ORIGINS, and treat the host as a personal-use deployment — not a multi-tenant service.

Image characteristics

• Multi-stage build on node:22-alpine (compressed pull size ~58 MB; uncompressed ~258 MB — the floor is set by the Node.js runtime itself).
• Runs as the unprivileged built-in node user (UID 1000).
• tini as PID 1 for clean signal forwarding (graceful shutdown).
• Health check uses Node's native fetch against /health — no curl/wget baked into the image.
• All configuration is supplied at runtime via env vars; no secrets are baked into image layers.

Build & run locally

docker build -t whoop-mcp .

# Smoke test (runs node, prints "ok", exits)
docker run --rm whoop-mcp node -e "console.log('ok')"

# Run the HTTP server
docker run --rm -p 3000:3000 \
  -e MCP_AUTH_TOKEN="$(openssl rand -hex 32)" \
  -e WHOOP_CLIENT_ID="your-client-id" \
  -e WHOOP_CLIENT_SECRET="your-client-secret" \
  -e MCP_ALLOWED_ORIGINS="https://claude.ai" \
  whoop-mcp

# Health check
curl http://localhost:3000/health

Required env vars (HTTP mode):

Fly.io

Fly.io deploys directly from the Dockerfile and gives you a free TLS-terminated public URL.

# One-time: install flyctl, sign in, and create the app from this repo's Dockerfile
brew install flyctl
fly auth login
fly launch --no-deploy --copy-config --name whoop-mcp-<your-suffix>

# Set secrets (these are encrypted and injected as env at runtime — never baked in)
fly secrets set \
  MCP_AUTH_TOKEN="$(openssl rand -hex 32)" \
  WHOOP_CLIENT_ID="..." \
  WHOOP_CLIENT_SECRET="..." \
  MCP_TRUST_PROXY=1

# Deploy
fly deploy
fly status
fly logs

In your generated fly.toml, make sure the HTTP service points at port 3000 and that force_https = true is set under [[http_service]]. Fly handles TLS termination, so MCP_TRUST_PROXY=1 is required for accurate client IPs in logs and rate-limit decisions.

Railway

Railway auto-detects the Dockerfile.

1. Create a new project from this GitHub repo (or railway up from a clone).
2. In Variables, add MCP_AUTH_TOKEN, WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and MCP_TRUST_PROXY=1.
3. Under Settings → Networking, generate a public domain. Railway terminates TLS for you.
4. Deploy. Health check path: /health.

Other platforms

The image is a stock OCI artifact and runs anywhere Docker does — Render, Cloud Run, Kubernetes, Hetzner, etc. The only platform-specific knob is MCP_TRUST_PROXY=1 whenever you sit behind a TLS-terminating proxy.

Connecting from claude.ai (OAuth 2.1 connector)

Claude Desktop and Claude Code can use the static MCP_AUTH_TOKEN bearer directly. The claude.ai web/mobile clients expect an OAuth 2.1 connector with PKCE — set the three env vars below and the server mounts the connector automatically on the same port as /mcp:

fly secrets set \
  MCP_CONNECTOR_PASSWORD="$(openssl rand -base64 24)" \
  PUBLIC_URL="https://whoop-mcp-<your-suffix>.fly.dev" \
  ALLOWED_REDIRECT_URIS="https://claude.ai/api/mcp/auth_callback"

• MCP_CONNECTOR_PASSWORD (≥12 chars) — the human-facing password you'll type into the claude.ai connector dialog. Treat it like any other shared secret.
• PUBLIC_URL — the public https:// origin claude.ai will reach. Used as the OAuth issuer (e.g. https://example.com → metadata at /.well-known/oauth-authorization-server).
• ALLOWED_REDIRECT_URIS — comma-separated exact-match allowlist. For claude.ai the value is https://claude.ai/api/mcp/auth_callback.
• Optional: MCP_JWT_SECRET overrides the JWT signing key (defaults to an HKDF derivation from MCP_AUTH_TOKEN); MCP_OAUTH_CLIENT_ID overrides the advertised client id (default whoop-mcp-connector).

In claude.ai → Settings → Connectors → Add custom connector, point it at PUBLIC_URL/mcp and supply MCP_CONNECTOR_PASSWORD when prompted.

Development

Setup

git clone https://github.com/shashankswe2020-ux/whoop-mcp.git
cd whoop-mcp
npm install

Commands

Project Structure

src/
├── index.ts              # Entry point — auth, client, server, stdio
├── server.ts             # MCP server + tool/resource/prompt registration
├── auth/
│   ├── oauth.ts          # OAuth2 Authorization Code flow
│   ├── token-store.ts    # Secure token persistence
│   └── callback-server.ts # Local OAuth callback server
├── api/
│   ├── client.ts         # HTTP client with retry + refresh
│   ├── pagination.ts     # Auto-pagination utility (fetchAllPages)
│   ├── types.ts          # WHOOP API response types
│   └── endpoints.ts      # API URL constants
├── resources/
│   └── index.ts          # MCP Resource handlers (4 resources)
├── tools/
│   ├── get-profile.ts
│   ├── get-recovery.ts
│   ├── get-sleep.ts
│   ├── get-workout.ts
│   ├── get-cycle.ts
│   ├── get-body-measurement.ts
│   ├── get-sleep-by-id.ts
│   ├── get-workout-by-id.ts
│   ├── get-cycle-by-id.ts
│   ├── get-weekly-summary.ts   # Analytical: weekly health report
│   ├── compare-periods.ts      # Analytical: period comparison
│   ├── get-trend.ts            # Analytical: trend detection
│   ├── get-today.ts            # Composite: today's snapshot
│   ├── get-calendar.ts         # Grid: multi-day calendar view
│   ├── date-utils.ts           # Relative date expression parser
│   ├── stats-utils.ts          # Statistics (mean, median, regression)
│   └── collection-utils.ts
├── prompts/
│   └── index.ts                # MCP Prompt handlers (5 prompts)
└── resources/
    └── index.ts                # MCP Resource handlers (4 resources)

Releases & npm Package

This project is published on npm as whoop-ai-mcp.

npm install -g whoop-ai-mcp

Or run directly with npx:

npx whoop-ai-mcp

Release Process

1. Update the version in package.json and add a new entry in CHANGELOG.md
2. Commit the changes: git commit -am "Release vX.Y.Z"
3. Tag the release: git tag vX.Y.Z
4. Push the commit and tag: git push origin main vX.Y.Z
5. The Release workflow automatically creates a GitHub Release with notes extracted from the changelog
6. The npm publish workflow automatically publishes the new version to npm

Changelog

See CHANGELOG.md for a full list of changes in each release.

Privacy notes for analytical tools

The analytical tools — get_weekly_summary, get_trend, and compare_periods — return pre-computed statistical summaries derived from your underlying recovery / sleep / cycle / workout records. No new health data is exposed beyond what the per-record collection tools already return (get_recovery_collection, get_sleep_collection, etc.), but the aggregated form is more concentrated and easier to scan over time. In particular, the anomalies array returned by get_trend flags days that deviate from your personal baseline — such days may correlate with illness, injury, travel, or lifestyle changes.

If you connect this MCP server to a remote AI assistant (rather than a local one), be aware that those summaries will be sent to that assistant in the same way any other tool result is. All data continues to flow only between the WHOOP API, this MCP server running on your machine, and the assistant you explicitly invoke — there is no third-party telemetry.

Contributing

See CONTRIBUTING.md for development workflow, coding conventions, and the project's Copilot agent/skill configuration.

License

MIT